Let me answer some of your questions.
You asked, "why is there FTP if it's not supposed to be exposed to internet"? The answer to that is simple: I use FTP to transfer from a regular computer to the FreeNAS, and vice versa. FTP offers pretty snappy transfers, but no encryption, so it's fine for "inside", but not necessarily "on the internet".
As for exposing FreeNAS to the internet, there are various degrees of "bad" there. Let's go from "insane" to "ok", in order, if you want to expose (all or part of) your NAS:
The worst, by far, and what is *NEVER* correct, is to open the SMB-related ports to the internet, and to remote in to the file shares directly. Your FreeNAS will be mining bitcoins for Russians and Chinese before dinner, and all of your data will be stolen, with probability 99.91%, if you do this. So never open up your SMB for disk/file sharing.
Opening up FTP to the internet is "bad". FTP is always in the clear (i.e., anyone can see your username/password), and certainly, anyone would be able to easily grab your files, and you'd have whatever other risks were associated with the FTP daemon (in this case, proftpd, you could research it if you wanted). It goes to "slightly less bad" if you change from the default FTP port to something crazy.
Opening up SSH/SFTP to the internet ranges from "mediocre" to "pretty good". If you're willing to do a little research, you'll see how to set up SSH/SFTP to only allow keypair logins. With those, this method is both pretty strongly authenticating, and well encrypted. The sshd service, itself, when in the keypair mode, offers very little attack surface. If you use SSH with password authentication, you have pretty good authentication, and the same good encryption from before, but you do offer an attack surface for various types of hacking techniques (e.g., password guessing). As always, it's almost a necessity in my opinion to change from the default port if you're going to be on the internet with it---hackers will generally only be searching on the default port, and even though they can't get in, necessarily, they can still consume your bandwidth, jack up your logs, and so on, if they think you have a vulnerable system there. If you change to a high-numbered port, they are far (FAR!) less likely to just randomly notice your running service.
The VERY BEST techniques, however, involve VPNs. Anything from OpenVPN running in a jail, on a router, whatever, down to a LogMeIn Hamachi VPN on a Windows box which is providing a straight proxy for you to the SSH port on the FreeNAS. These kinds of setups offer almost no surface, whatsoever, for an illegitimate user on the internet to perform any kind of shenanigans.
WHEN they are done correctly.
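One way to check an SSH server configuration for the keypair-only, non-default-port setup the post above describes, as an added example that is not part of the original post. The function name, the sample configurations and port 49222 are constructed for illustration, and the defaults are assumed to be upstream OpenSSH's.

```python
import re

# Upstream OpenSSH defaults (assumed; a platform's build may ship different ones).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Deprecated keyword that OpenSSH treats as the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_LIKE = ("passwordauthentication", "kbdinteractiveauthentication")
# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(\S+)")

def audit_sshd_config(text):
    """Return a list of findings for the text of one sshd_config file."""
    settings, ports, findings = {}, [], []
    in_match = False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).lower()
        if key == "match":
            in_match = True  # conditional section runs to the next Match or EOF
        elif in_match:
            if key in PASSWORD_LIKE and value == "yes":
                findings.append(f"Match block re-enables {key}")
        elif key == "port":
            ports.append(int(value))  # Port may be given more than once
        else:
            settings.setdefault(key, value)  # sshd keeps the first value seen
    effective = {**DEFAULTS, **settings}
    for key in PASSWORD_LIKE:
        if effective[key] == "yes":
            findings.append(f"{key} is enabled: password guessing is possible")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled: no keypair logins")
    if not ports or 22 in ports:
        findings.append("listening on default port 22")
    return findings

# Constructed sample configurations (not taken from any real system).
WEAK = "# PasswordAuthentication no\nPort 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("Port 49222\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or "no findings")
```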